Windows AutoPilot Device Preparation

Windows Autopilot's Device Preparation is it's new 'user-driven' workflow. Instead of IT staff registering all devices prior to giving them over to staff there's the option for the device to be shipped directly from an OEM to the end-user.

With minimal steps—powering the device, selecting locale, connecting to Wi-Fi, and signing in with Microsoft Entra credentials—the system automates the rest. The device automatically joins Microsoft Entra ID, enrolls in Intune, installs key apps, and runs essential scripts, streamlining setup for users while reducing IT workload.

Key Features:

• The device joins Microsoft Entra ID.

• Intune enrollment with preconfigured policies.

• Automated installation of up to 10 essential apps and PowerShell scripts.

This article covers the configuration steps for setting up Windows Autopilot device preparation using a user-driven Microsoft Entra join workflow.

Requirements:

Windows 11, version 23H2 with KB5035942 or later.

Windows 11, version 22H2 with KB5035942 or later.

Enrollment Config - Entra

Navigate to Entra with the following URL, allowing users to enroll devices.

https://portal.azure.com/#home

Then to Device Settings, Microsoft Entra ID > Devices (left hand Window) > Device Settings.

Allow 'All' users to join devices

Enrollment Config - Intune

Now navigate to Intune to configure the MDM User scope.

https://intune.microsoft.com/#home

Then to, Devices > Enrollment > Automatic Enrollment

Select 'All' for the MDM User Scope.

User and Device Group

A couple of Groups will be required to allow named Users the ability to enroll devices and for the Devices themselves.

From within Intune navigate to Groups.

Create a Security Group with a name that reflects its purpose eg:

AutoPilot_DevicePrepartion_Users.

Add named users or all users to this group.

Create a 2nd Security Group for devices, don't add any members.

Modify the Device Groups Owners.

Add the built-in service, provided by Microsoft 'Intune Provisioning Client' as the owner.

This will provide the 'Just in Time' rights for device auto enrollment.

AutoPilot Device Preparation

Navigate to Devices, Windows, Enrollment.

Select 'Device Preparation Policies'.

Provide a Name.

Add the 'AutoPilot_DevicePreparation_Device' Group.

Under Configuration Settings leave the defaults. I've added some Apps and scripts, the maximum is 10. For Applications to install the user must be a member of the deployment group.

Add the 'AutoPilot_DevicePrepartation_Users' group, these can be users who are part of the IT team that adds devices to Intune or all users.

Save

Deployment

Sign in with an approved account, then sit back while the magic happens

Links:

https://learn.microsoft.com/en-us/autopilot/device-preparation/tutorial/user-driven/entra-join-device-group